Thursday, December 27, 2018

Cisco ASA and second WAN link

Hoping someone is able to point me in the right direction on configuring a secondary WAN on my Cisco ASA.

I believe my issue is security, but I'm not 100%.

The goal is that our internal networks (to the DC) go through the interface named "outside", and all other (i.e. internet) traffic goes through the "2ndWAN" interface. I've tested this link with a laptop and static IP, and can confirm it's working as expected.

2ndWAN is on Gb eth 0/2. The port is enabled and given its static IP (as per the ISP). In config terminal mode, from the interface, I can ping the default gateway.

Current setup has a route like "outside 0.0.0.0 0.0.0.0 {next hop}".

I deleted that route, and set up a route for internal data to go through that link (it's a private link), like this: "route outside 192.168.0.0 255.255.0.0 {next hop}". This works; I can still contact my other sites.

I then entered a route for all other traffic to go through the 2nd WAN: "route {2ndWAN} 0.0.0.0 0.0.0.0 {next hop}". From the interface, I can ping the internet fine.

Devices on my LAN can ping my 192.168.0.0 subnets, but cannot ping the internet; packets are not getting further than the ASA.

This leads me to think that it's security settings I need to change, but I can't copy the settings from the "outside" interface, because it's all open (private link to the DC). The closest working config I have to copy from is the router in my DC, but it's got a LOT of extra stuff that I won't need for this branch's router, and I don't yet have the eye to pick what I do and don't need with certainty.

I'm a little confused about when, where and how to use access-lists and access-groups, and whether this is even the correct direction to be heading in. Maybe I've made a mistake with the route?

I did try briefly "access-list {2ndWAN} extended permit ip any any" (copying the "outside" configuration), with the rationale being "open the firewall to check it's the firewall", but that didn't change anything.
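The following is an added example configuration, not the poster's running config and not taken from the DC router mentioned above. It shows the set of pieces an ASA (8.3 or later syntax) needs for the split described in the post: a specific route for the DC-side networks over the private link, a default route over the ISP link, a NAT rule for the new egress interface, a restrictive inbound ACL on that interface, and ICMP inspection so that LAN pings get their replies back. The LAN subnet 10.10.10.0/24, the object name obj-inside-lan, the ACL name 2ndWAN_in and every {placeholder} are assumptions; substitute the real values. The most common reason a correct route still leaves LAN hosts unable to reach the internet is that the NAT rule only exists for the old (inside,outside) pair, so the new (inside,2ndWAN) pair translates nothing.

```cisco
! Added example, not the original post's configuration.
! Assumptions (labelled): LAN is 10.10.10.0/24 on "inside" (security-level 100),
! the private DC link is "outside", the ISP link is "2ndWAN" on GigabitEthernet0/2,
! {dc-next-hop} and {isp-next-hop} are the real gateway addresses.

interface GigabitEthernet0/2
 nameif 2ndWAN
 security-level 0
 ip address {2ndWAN-static-ip} {2ndWAN-netmask}
 no shutdown

! Routing: DC-side 192.168.0.0/16 stays on the private link, everything else
! takes the ISP link. The metric of 1 is the ASA default for static routes.
route outside 192.168.0.0 255.255.0.0 {dc-next-hop} 1
route 2ndWAN 0.0.0.0 0.0.0.0 {isp-next-hop} 1

! Translation: LAN hosts use private addresses, so the ASA must PAT them to the
! 2ndWAN interface address on the way out. A NAT rule written for (inside,outside)
! does not apply to the new interface pair.
object network obj-inside-lan
 subnet 10.10.10.0 255.255.255.0
 nat (inside,2ndWAN) dynamic interface

! Inbound policy on the internet-facing interface: replies to connections the LAN
! opened are allowed by the stateful engine before this ACL is consulted, so an
! explicit deny is enough and "permit ip any any" is not needed.
access-list 2ndWAN_in extended deny ip any any log
access-group 2ndWAN_in in interface 2ndWAN

! ICMP is not tracked statefully unless inspect icmp is enabled; without it the
! echo replies from the internet are dropped as unsolicited low-to-high traffic.
policy-map global_policy
 class inspection_default
  inspect icmp

! Checks to run from enable mode after applying the above:
! show route        confirms both static routes are installed
! show nat          confirms the (inside,2ndWAN) translation rule exists
! packet-tracer input inside icmp 10.10.10.50 8 0 {internet-test-ip} detailed
!                   walks a simulated LAN ping through route lookup, NAT and
!                   ACL phases and names the phase that drops it
```

If packet-tracer reports the drop in a NAT phase, the translation rule is the missing piece; if it reports an ACL drop, the interface ACL on 2ndWAN is the place to look rather than the route.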


